Change governance for any database

Ship database changes
without the fear.

Qodara turns raw production edits into a governed workflow: draft → review → dry-run preview → apply → revert. Snapshots before every write. An audit line for every action. And a read-only AI copilot that actually knows your schema.


Built for teams that treat the database like production code

REVIEW GATES · DRY-RUN DIFFS · SNAPSHOTS · ONE-CLICK REVERT · FULL AUDIT TRAIL · READ-ONLY AI

The workflow

Every change earns its way to production


change-request · draft
{
  "collection": "invoices",
  "operation": "updateMany",
  "filter": { "currency": { "$exists": false } },
  "update": { "$set": { "currency": "USD" } }
}

Author in the mode that fits the change

Native operation JSON, sandboxed JavaScript, versioned migration scripts, Python, or template updates. Syntax is checked on submit — broken changes never reach a reviewer.

review · pending
Noura Al-Qahtani ✓ Approved

"Filter is scoped correctly, preview counts match expectation."

Fahad Al-Harbi ● Requested

Notified in Slack · 2 min ago

✗ author self-approval blocked by policy

Approval is a gate, not a rubber stamp

Reviewers are pinged automatically. Authors can't approve their own work. Environments that require approval will not execute without it — enforced server-side, not in the UI.

dry-run · production (read-only)
@@ invoices · 4,182 documents match @@ { "_id": "inv_88213", "amount": 1450, - /* currency: missing */ + "currency": "USD" } ✓ 0 documents outside filter touched · no writes performed

See the blast radius before any write

Previews dry-run against the actual target environment and show before/after diffs and match counts. If the numbers look wrong, you find out here — not in an incident channel.

apply · run #2093
→ capturing before-snapshot… done (4,182 docs)
→ executing updateMany on invoices…
✓ modified 4,182 · matched 4,182 · errors 0
→ after-snapshot stored · audit log written

Snapshots first. Always.

Before a single document changes, Qodara captures the affected state. Execution runs are recorded with full before/after snapshots, so "what exactly did this change?" always has an answer.

revert · from snapshot
→ restoring 4,182 documents from before-snapshot…
✓ invoices restored to pre-apply state
→ status: APPLIED → REVERTED · audit log written
actor: fahad.alharbi · reason: "rate table not ready"

Undo is a feature, not a war room

Applied changes revert in one click using the captured snapshots. No hand-written rollback scripts at 2am, no guessing what the old values were.

The platform

Everything around the change, handled

Governance only works when it's the easiest path. Qodara makes the safe way the fast way.

🔐

SSO & role-based access

Single sign-on with domain allowlisting. Five focused roles — author, reviewer, operator, reverter, admin — mapped to fine-grained permissions and enforced on every API call.

🌍

Per-environment targets

Staging, production, whatever you run — each environment has its own connection, its own approval policy, and its own database-access controls. Secrets stay as references, never in the UI.

🧪

Dry-run previews

Every change can be simulated against its real target before it runs. Diffs, match counts, and failures surface in review — not in production.

📸

Snapshots & instant revert

Before/after state is captured on every apply. Reverting is a permissioned one-click action that restores from the snapshot — auditable like everything else.

🧾

Audit everything

Every workflow action, every execution run, every ad-hoc query is written to an audit log with actor, timestamp, and a diff-level summary. Compliance stops being archaeology.

🔎

Document Inspector

A read-only query workbench for humans: run find queries, aggregations, or sandboxed scripts against any permitted environment, with its own audit trail.

⚙️

Six execution modes

Native operation JSON, sandboxed JavaScript, versioned migrations, repo-based migration scripts, Python, and template updates — one workflow governs them all.

💬

Slack-native reviews

Submitting a change pings its reviewers where they already are. Less "did you see my CR?", more shipping.

📊

Vision dashboards

Turn a plain-English question into a validated, saved dashboard artifact over your data — planned and executed by the AI layer, governed like everything else.

EZIO — the built-in copilot

An AI that reads everything,
and writes nothing

EZIO answers questions about your schema, your data, and your codebase — over read-only connections it cannot escalate. Try it:

EZIO · read-only · routed to the right model per task
Hi! I can query your databases (read-only), search your codebase, and draft change requests for humans to review. What do you want to know?

🛡️ Read-only by construction

EZIO's database access goes through connections that only permit reads — write attempts fail at the driver, not at a prompt's mercy.

🧭 Smart source routing

Each question is routed to the sources it actually needs — schema cards, a lexical code index, live queries — so answers are fast and grounded.

💸 Budgets & per-user credentials

Monthly spend quotas per user, encrypted per-user API credentials, and per-workload model selection keep cost and access under control.

🧾 Audited like everything else

Every EZIO conversation and every query it runs lands in its own audit log. The AI gets no special exemptions.

Security model

Designed for the paranoid reviewer

Signed service-to-service auth. Short-lived HMAC-signed tokens between web and API tiers — no shared sessions, no long-lived keys in the browser.
Server-side RBAC on every route. Permissions derive from roles and are enforced by API guards. The UI hides buttons; the server rejects requests.
Self-review blocked. A non-admin author can never approve or reject their own change request.
Secrets as references. Target connections can be stored as secret names resolved at runtime — connection strings are never returned by the API.
Encrypted AI credentials. Per-user AI tokens are stored AES-256-GCM encrypted; a global-key mode is available for centralized billing.
Per-database access control. Users can be scoped to specific databases; the check runs on every workflow action.
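
How the first three items above can fit together in one server-side guard, sketched in Node.js. This is an added example, not Qodara's code: the token layout, the permission names in ROLE_PERMS and all function names are assumptions; only the five role names come from the page.

```javascript
// Added illustration, not Qodara's code. Token layout, permission names and
// function names are assumptions; only the five role names come from the page.
const crypto = require("crypto");

const ROLE_PERMS = {
  author: ["cr:create"],
  reviewer: ["cr:review"],
  operator: ["cr:apply"],
  reverter: ["cr:revert"],
  admin: ["cr:create", "cr:review", "cr:apply", "cr:revert"],
};

// Issue a token whose payload carries its own expiry, MACed with the tier key.
function signToken(claims, key, ttlSec, now = Date.now()) {
  const exp = Math.floor(now / 1000) + ttlSec;
  const body = Buffer.from(JSON.stringify({ ...claims, exp })).toString("base64url");
  const mac = crypto.createHmac("sha256", key).update(body).digest("base64url");
  return `${body}.${mac}`;
}

// Returns the claims, or null if the MAC is wrong or the token has expired.
function verifyToken(token, key, now = Date.now()) {
  const [body, sig] = String(token).split(".");
  if (!body || !sig) return null;
  const expected = crypto.createHmac("sha256", key).update(body).digest();
  const given = Buffer.from(sig, "base64url");
  // Constant-time compare; length check first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  return claims.exp > Math.floor(now / 1000) ? claims : null;
}

// Server-side guard for approve/reject: runs regardless of what the UI showed.
function authorizeReview(token, key, changeRequest, now = Date.now()) {
  const actor = verifyToken(token, key, now);
  if (!actor) return { ok: false, reason: "invalid or expired token" };
  const roles = actor.roles || [];
  const perms = new Set(roles.flatMap((r) => ROLE_PERMS[r] || []));
  if (!perms.has("cr:review")) return { ok: false, reason: "missing permission" };
  if (actor.sub === changeRequest.author && !roles.includes("admin")) {
    return { ok: false, reason: "self-review blocked" };
  }
  return { ok: true, actor: actor.sub };
}
```

The guard checks the signature and expiry before it parses any claims, and the self-review rule runs after the permission check, so holding the reviewer role does not let an author approve their own change request.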

Stop pasting scripts into prod shells.

Qodara is self-hostable and slots in front of the databases you already run. Bring your database, your SSO, and your most skeptical reviewer.